Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Interesting. Can you send the minidump from C:\Windows\Minidump via wetransfer.com?
     
  2. erikloman

    erikloman Developer

    Is he running sptd.sys (usually from Daemon Tools)? That may cause this message in EWS.
     
  3. erikloman

    erikloman Developer

    Solved. Thanks.
     
  4. erikloman

    erikloman Developer

    Solved. Author should add some resource info to this driver. Nowadays it is not done to release an anonymous driver :blink:
    Thanks for reporting though :thumb:
     
  5. erikloman

    erikloman Developer

    Mops21 is running in EWS. Anything listed there is NOT an FP.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Not sure, and I currently no longer have access to the PC. But because she had installed a pirated version of MS Office, she was afraid Windows Update could cripple Office when that was detected, so she turned it off and had no Windows updates installed since August. That and old versions of Java and Shockwave make for more holes than every Swiss cheese known to mankind :p So it could be anything, though HMP didn't detect anything except some Babylon/Facemoods etc. adware and 1 tracking cookie. I also ran TDSSKiller with a reboot to install the driver for the loaded modules scan, and it only detected the TDLFS filesystem, which could be the same thing HMP detected, but it didn't have additional info.
     
  7. desert_by_night

    desert_by_night Registered Member

    Joined:
    Apr 27, 2012
    Posts:
    30
    Location:
    Portugal

    Hi Erik.
    I forgot your email; can you post it here please? I will send the minidump right away.
     
  8. Mops21

    Mops21 Registered Member

    Joined:
    Oct 5, 2010
    Posts:
    2,731
    Location:
    Germany
    Hi

    Thank you very much
     
  9. garack

    garack Registered Member

    Joined:
    Jan 15, 2013
    Posts:
    12
    Hey, what does WRP RUN mean in the scan results?

    RUN - starts with system start, I assume..

    And WRP?

    winsrv.dll and ieframe.dll in system32
     
  10. Mops21

    Mops21 Registered Member

    Hi

    What did you mean with your answer, Erik? Can you explain it to me?
     
  11. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    FPs
    Threats . . . . . . . : 1
    Traces . . . . . . . : 17

    Objects scanned . . . : 559.499
    Files scanned . . . . : 16.313
    Remnants scanned . . : 142.255 files / 400.931 keys

    Malware _____________________________________________________________________

    C:\Programme\ffdshow\ffdshow.ax -> Quarantined
    Size . . . . . . . : 3.470.848 bytes
    Age . . . . . . . : 4.1 days (2013-02-14 16:42:58)
    Entropy . . . . . : 6.6
    SHA-256 . . . . . : 35478D2BADC2A3E4E60347ABE834367845889659AD502C86D4A261C543C02ED7
    Product . . . . . : ffdshow
    Description . . . : DirectShow and VFW video and audio decoding/encoding/processing filter
    Version . . . . . : 1.2.4422.0
    Copyright . . . . : Copyright © 2002-2012
    > HitmanPro . . . . : Win32/Ransomware.Behavior
    Fuzzy . . . . . . : 12.0
    References
    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\ffdshow\Audiodekoder-Konfiguration.lnk
    C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\ffdshow\Videodekoder-Konfiguration.lnk
    C:\Programme\ffdshow\openIE.js
    Forensic Cluster


    Suspicious files ____________________________________________________________

    C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Ubisoft\Assassin's Creed Revelations\pb\pbcl.dll
    Size . . . . . . . : 950.066 bytes
    Age . . . . . . . : 51.4 days (2012-12-29 10:45:38)
    Entropy . . . . . : 7.6
    SHA-256 . . . . . : 688C585B1C3C825EB7BE30FC65AA831CAE38D78B14D002FB354B703B776A76FA
    Fuzzy . . . . . . : 29.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.

    C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Ubisoft\Assassin's Creed Revelations\pb\pbcls.dll
    Size . . . . . . . : 950.066 bytes
    Age . . . . . . . : 51.4 days (2012-12-29 10:45:42)
    Entropy . . . . . : 7.6
    SHA-256 . . . . . : 688C585B1C3C825EB7BE30FC65AA831CAE38D78B14D002FB354B703B776A76FA
    Fuzzy . . . . . . : 29.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.

    C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\PunkBuster\ACR\pb\PnkBstrK.sys
    Size . . . . . . . : 139.696 bytes
    Age . . . . . . . : 51.4 days (2012-12-29 10:45:55)
    Entropy . . . . . : 7.8
    SHA-256 . . . . . : 3EE0BAF707BC124DB1910245E1475667B0017A641B1E52F17DD508F2829E10B6
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 22.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    Program is code signed with a valid Authenticode certificate.

    C:\WINDOWS\system32\drivers\PnkBstrK.sys
    Size . . . . . . . : 139.696 bytes
    Age . . . . . . . : 51.4 days (2012-12-29 10:45:55)
    Entropy . . . . . : 7.8
    SHA-256 . . . . . : 3EE0BAF707BC124DB1910245E1475667B0017A641B1E52F17DD508F2829E10B6
    RSA Key Size . . . : 2048
    Authenticode . . . : Valid
    Fuzzy . . . . . . : 26.0
    The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
    Program contains PE structure anomalies. This is not typical for most programs.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    Program is code signed with a valid Authenticode certificate.
     
  12. erikloman

    erikloman Developer

    I solved the PunkBuster FPs. About the ffdshow.ax, that's a bug in HitmanPro that was introduced in build 188. There is a BETA scheduled for this Wednesday which will address the problem. Thanks for reporting :thumb:
     
  13. erikloman

    erikloman Developer

    See this post.
     
  14. markusg

    markusg Registered Member

    C:\WINDOWS\system32\Smab.dll
    Size . . . . . . . : 394.240 bytes
    Age . . . . . . . : 1830.0 days (2008-02-15 21:18:35)
    Entropy . . . . . : 8.0
    SHA-256 . . . . . : 6A8FB0E3D0C44A021E9137F4DBE8F500962CB63B8AC5C634FBDAD3DD9CC87CED
    Fuzzy . . . . . . : 26.0
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The Entry Point of this file lies in a resource section. This is an indication of malware infection.
    The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical for most programs.
    Program contains PE structure anomalies. This is not typical for most programs.
    The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
     
  15. erikloman

    erikloman Developer

    LOL.
    • The Entry Point of this file lies in a resource section. This is an indication of malware infection.
    • The .rsrc (resources) section in this program is set to executable. This is an indication of malware infection.
    Resources are for strings, icons, bitmaps and dialogs. Not for code entry points o_O
    I will analyze this file some more to see if it isn't malicious. It's for sure suspicious. Thanks for reporting :thumb:
     
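The two heuristics Erik quotes (entry point inside the resource section, .rsrc marked executable) and the ".reloc contains code" one from the earlier report can all be read straight off the PE section table. The block below is an added example, not HitmanPro code: it parses the headers with only the standard library and builds a constructed minimal PE32 image (headers only) so a clean and a suspicious layout can be checked offline.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

def parse_pe(data):
    """Return (entry_rva, [(name, va, size, characteristics), ...]) from raw PE bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # optional header follows COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode(), f[2], max(f[1], f[3]), f[9]))
    return entry, sections

def assess(data):
    """Reproduce the section-based heuristics discussed in the thread."""
    entry, sections = parse_pe(data)
    findings = []
    for name, va, size, chars in sections:
        if name == ".rsrc" and va <= entry < va + size:
            findings.append("entry point lies in the resource section")
        if name == ".rsrc" and chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(".rsrc section is marked executable")
        if name == ".reloc" and chars & IMAGE_SCN_CNT_CODE:
            findings.append(".reloc section contains code")
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 (headers only) so the checks can be exercised offline."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, ch)
                    for n, va, size, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x1000, CODE), (".rsrc", 0x2000, 0x1000, DATA)])
SUSPECT = build_pe(0x2040, [(".text", 0x1000, 0x1000, CODE), (".rsrc", 0x2000, 0x1000, DATA | CODE),
                            (".reloc", 0x3000, 0x1000, DATA | IMAGE_SCN_CNT_CODE)])
```

On a real file, `assess(open(path, "rb").read())` returns the same strings; an empty list only means these three layout checks passed, not that the file is clean.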
  16. Mops21

    Mops21 Registered Member

    Hi Erik

    Thank you very much
     
  17. markusg

    markusg Registered Member

    Hi
    Have a look on VT: first seen 2007, 2 detections and one is by packer, so I'm 99.99% sure it's clean :)
     
  18. erikloman

    erikloman Developer

    I know. But I still don't trust it. IMO, entry point code should never be in resource section.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    erikloman
    :thumb: :thumb:
     
  20. markusg

    markusg Registered Member

    Hehe, I'm not the author of this program, so I can only notify you about the FP :)
     
  21. erikloman

    erikloman Developer

    HitmanPro 3.7.2 Build 189 BETA

    Changelog
    • ADDED: Kickstart blocks ransomware stealing the desktop from HitmanPro.
    • ADDED: Kickstart blocks "Image File Execution Options" hijacking.
    • ADDED: Kickstart lists the file that was added 'Most Recent as Startup' as suspicious.
    • ADDED: Kickstart keeps track of processes that are started during boot.
    • ADDED: VirusTotal API key is now embedded so it is no longer needed to register an account.
    • ADDED: /excludefile command line option to exclude files and folders from the scan.
    • ADDED: Text Log File now shows number of encountered files that were excluded from the scan.
    • ADDED: Detailed file view now shows parent process name as property.
    • ADDED: Detailed file view now lists both local and remote network connections
    • FIXED: Reveton ransomware detection caused false positives.
    • FIXED: Network Port enumerator now lists listening ports correctly.
    • IMPROVED: Force Breach process filtering.
    • IMPROVED: License activation retry mechanism.
    • UPDATED: Kickstart Bootstrap loader 1.2.
    • UPDATED: Embedded white lists.

    How to use /excludefile command line switch

    HitmanPro.exe /excludefile="c:\excludes.txt"

    Contents excludes.txt

    C:\Users\John\MyObscureMalwareCollection\
    C:\Windows\System32\paint.exe

    Make sure you end folders with a slash.

    Download build 189 from here.

    Please let me know how this version runs on your system :thumb:
     
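The trailing-slash rule for /excludefile is easy to get wrong when the list is maintained by hand. As an added example (not HitmanPro code), this checks an excludes list the way the post describes: an entry ending in a slash is a folder exclusion, anything else is taken as one file, and a path that is actually a directory but lacks the slash gets flagged and fixed. The directory lookup is injected so the check runs offline against a constructed layout; on a real host pass `os.path.isdir`.

```python
import os

def normalize_excludes(entries, is_dir=os.path.isdir):
    """Apply the rule from the post: a trailing slash marks a folder exclusion,
    anything else is read as a single file. is_dir is injected so the check can
    run offline (assumption: defaults to os.path.isdir on a real host).
    Returns (fixed_lines, warnings)."""
    fixed, warnings = [], []
    for raw in entries:
        line = raw.strip()
        if not line:
            continue                       # assumption: blank lines carry no meaning
        if line.endswith(("\\", "/")):
            fixed.append(line)             # folder exclusion, as intended
        elif is_dir(line):
            # Assumption drawn from the post's rule: without the trailing slash the
            # entry is not a folder exclusion, so the folder's contents stay in scope.
            warnings.append(f"{line}: folder without trailing slash, appended one")
            fixed.append(line + "\\")
        else:
            fixed.append(line)             # single-file exclusion
    return fixed, warnings

# Constructed sample: the two paths from the post plus a folder missing its slash.
SAMPLE_ENTRIES = [
    "C:\\Users\\John\\MyObscureMalwareCollection\\",
    "C:\\Windows\\System32\\paint.exe",
    "C:\\Users\\John\\Downloads",
    "",
]
SAMPLE_DIRS = {"C:\\Users\\John\\MyObscureMalwareCollection", "C:\\Users\\John\\Downloads"}

def is_dir_sample(path):
    """Stand-in for os.path.isdir over the constructed layout above."""
    return path.rstrip("\\/") in SAMPLE_DIRS

def check_sample():
    return normalize_excludes(SAMPLE_ENTRIES, is_dir_sample)
```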
  22. Mops21

    Mops21 Registered Member

    Hi

    What did you mean with your answer
     
  23. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Ran Build 189 beta on Vista 32-bit and Windows 7 64-bit and have no problems..... :D
     
  24. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    Running great here on Windows 8 64-bit.
    Any new developments on HitmanPro.Alert ?
     
  25. guest

    guest Guest

    How does Hitman use virustotal service?
     